qemu: qapi: Limit traversal depth for QAPI schema queries

Implicitly the query depth is limited by the length of the QAPI schema
query, but 'alternate' and 'array' QAPI meta-types don't consume a part
of the query string thus a loop on such types would get our traversal
code stuck in an infinite loop. Prevent this from happening by limiting
the nesting depth to 1000.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/qemu/qemu_qapi.c b/src/qemu/qemu_qapi.c
index 0226d6c6590291cdf541bc8a63bbb5c421d45e58..93fcae0d44a6200eea53bbbdf15803d52a36d02f 100644 (file)
--- a/src/qemu/qemu_qapi.c
+++ b/src/qemu/qemu_qapi.c
@@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
     virHashTablePtr schema;
     char **queries;
     virJSONValuePtr returnType;
+    size_t depth;
 };
 
 
+static int
+virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext *ctxt)
+{
+    if (ctxt->depth++ > 1000) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("possible loop in QMP schema"));
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static void
 virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
                                      char **queries,
@@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
     const char *metatype;
     size_t i;
 
+    if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
+        return -2;
+
     if (!(cur = virHashLookup(ctxt->schema, baseName)))
         return -2;